Biological recognition technology-based mobile payment device, method and apparatus, and storage medium

ABSTRACT

The present disclosure is related to a biological recognition technology-based mobile payment device, method and apparatus, and a storage medium. The method includes receiving, by a payment Trusted Application (TA) that operates in a Trusted Execution Environment (TEE) on a device, a call request from one of a plurality of third party payment applications that are installed on the device and operate with the payment TA, determining content to be encrypted and an encryption parameter for performing encryption based on the call request, acquiring a result of biometric recognition from a biometric recognition application, encrypting the content according to the encryption parameter and the result of biometric recognition and returning the encrypted content to the third party payment application that generates the call request, for the third party payment application to perform a pay tent-related operation based on the encrypted content.

This application claims priority of the Chinese Patent Application No.201510821881.8, filed on Nov. 23, 2015, and the Chinese PatentApplication No. 201510848445.X, filed on Nov. 27, 2015, which areincorporated herein by reference in their entirety.

TECHNICAL FIELD

The present disclosure is related to the field of mobile paymenttechnologies, and more particularly, to a biological recognitiontechnology-based mobile payment device, method and apparatus, and astorage medium.

BACKGROUND

Mobile payment is an online payment mode developed and popularized inrecent years. Traditional mobile payment modes require users to inputmulti-digit payment passwords to finish a payment procedure. To simplifyusers' operations, a biological recognition technology-based mobilepayment mode is developed, such as fingerprint payment. In this mode,the payment procedure is finished by collecting, recognizing andverifying a user's biological information, followed by determining thatverification of the user's biological information is successful, so thatthe user does not need to input the payment password.

As capital transactions are involved, mobile payment has stricterrequirements on payment environment security. Currently, TrustZonetechnologies provided by a British company ARM (Advanced RISC Machines)can offer reliable solutions for mobile payment security. According tothe standards of TrustZone technologies, mobile terminals are classifiedinto Rich Execution Environments (REE) and Trusted ExecutionEnvironments (TEE). REE is a common and non-confidential executionenvironment, in which operating systems of mobile terminals opera whileTEE is a secure and confidential execution environment. REE includesClient Applications (CAs), and Trusted Applications (TAs) operate in theTEE. Different from CAs in the REF, the TEE provides a series ofsecurity services for TAs, including the completeness of execution byapplications, secure storage, secure interaction with input and outputdevices, key management, encryption algorithms, secure communicationwith CA in the REE and the like. Take fingerprint payment as an example.A fingerprint recognition application includes CA and TA, wherein the TAof fingerprint recognition application is used to collect, recognize andverify fingerprint information, and provide the fingerprint informationverification result to the CA of the fingerprint recognitionapplication. If a third party payment application directly acquires theverification result from the CA of the fingerprint recognitionapplication, as the CA of the fingerprint recognition applicationoperates in an REE, the verification result acquired by the third partypayment application is incredible. Therefore, the third party paymentapplicant also includes CA and TA, wherein the TA of the third partypayment application directly acquires credible verification result fromthe TA of the fingerprint recognition application, and provides the sameto the CA of the third party payment application, so that authenticityand reliability of the acquired verification result is ensured.

In actual application, a user may need to stall and operate multiplethird party payment applications in one mobile terminal. For example,one mobile terminal simultaneously supports two third party paymentapplications including Alipay application and a Wechat application.Currently, TAs of third party payment applications are installed inmobile terminals using the following two manners: a. before the mobileterminals leave the, factory, TAs of third party payment applicationsare pre-installed in the TEE of the mobile terminals: and b. of thirdparty payment application are developed and signed of the form ofService Provider SP TAs, and are downloaded into the TEE of the mobileterminals afterwards. However, no matter which installation manner isused, if one mobile terminal needs to simultaneously support multiplethird party payment applications, the following problems will arise:

first, since only TA is digitally signed, can the TA pass its identityverification by the Trusted Operating System (OS) of the TEE andnormally operate in the TEE; however, performing digital signatures forTAs needs payment of certain fees to companies providing TrustZonetechnologies, so multiple items of signature fees need to be paid for amobile terminal simultaneously supporting multiple third party paymentapplications, and the cost is increased;

second, since the TEE stores important confidential information such ascontact information, International Mobile Equipment Identity (IMEI) andthe like, which is visible to the TAs opening in the TEE, if a maliciousthird party payment application as installed in the mobile terminal, theimportant confidential information stored in the TEE may be willfullyread, so the TEE has a high security risk.

SUMMARY

Aspects of the disclosure provide a method for performing biometricsbased payment. The method includes receiving, by a payment TrustedApplication (TA) that operates in a Trusted Execution Environment (TEE)on a device, a call request from one of a plurality of third partypayment applications that are installed on the device and operate withthe payment TA, determining content to be encrypted and an encryptionparameter for performing encryption based on the call request, acquiringa result of biometric recognition from a biometric recognitionapplication, encrypting the content according to the encryptionparameter and the result of biometric recognition and returning theencrypted content to the, third party payment application that generatesthe call request, for the third party payment application to perform apayment-related operation based on the encrypted content.

Further, in an example, the method includes detecting whether anapplication key corresponding to the third party payment applicationexists in the payment PA at a time to activate the third party paymentapplication for a biometric recognition based payment function,determining a first key generation algorithm, a first data encryptionalgorithm, a second key generation algorithm and a second dataencryption algorithm based on the call request when no application keycorresponding to the third party payment application exists in thepayment TA, generating the application key for the third party paymentapplication using the first key generation algorithm, encrypting theapplication key using the first data encryption algorithm and a devicekey of the device, generating a user key corresponding to a user accountusing the second key generation algorithm, encrypting the user key usingthe second data encryption algorithm and the application key andreturning the encrypted application key and the encrypted user key tothe third party payment application for the third party paymentapplication to provide the encrypted application key and the encrypteduser key to a sever.

In another example, the method includes detecting whether an applicationkey corresponding to the third party payment application exists in thepayment PA at a time to activate the third party payment application fora biometric recognition based payment function, determining a keygeneration algorithm and a data encryption algorithm based on the callrequest when the application key corresponding to the third partypayment application exists in the payment TA, generating a user keycorresponding to a user account using the key generation algorithm,encrypting the user key using the data encryption algorithm and theapplication key and returning the encrypted user key to the third partypayment application for the third party payment application to providethe encrypted user key to a server.

To encrypt the content according to the encryption parameter and theresult of biometric recognition, the method includes detecting whetherthe result of biometric recognition indicates a success of biometricverification when the third party payment application performs a paymentoperation for a user account, encrypting the content using theencryption parameter and a user key corresponding to the user account toobtain an encryption result and returning the encryption result to thethird party payment application for the third party payment applicationto provide the encryption result to a server.

According to an aspect of the disclosure, the biometric recognitionapplication receives the call request from the third, party paymentapplication, collects, recognizes and verifies biometrics to obtain theresult of biometric recognition, and sends the result of biometricrecognition to the third party payment application; and when the resultof biometric recognition indicates that verification of biometrics issuccessful, the third party payment application sends the call requestto the payment TA.

In an example, the third party payment application is a ClientApplication (CA) operating in a Rich Execution Environment (REE) in thedevice.

Aspects of the disclosure provide an apparatus that includes a processorand a memory storing instructions executable by the processor toexecute, a payment Trusted Application (TA) operating in a TrustedExecution Environment (TEE) to serve a plurality of third party paymentapplications and to execute a biometric recognition application Theprocessor is configured to receive, by the payment TA, a call requestfrom one of the third party payment applications, determine content tobe encrypted and an encryption parameter for performing encryption basedon the call request, acquire a result of biometric recognition from thebiometric recognition application, encrypt the content according to theencryption parameter and the result of biometric recognition and returnthe encrypted content to the third. party payment application thatgenerates the call request, for the third party payment application toperform a payment-related operation based on the encrypted content.

In an example, the processor is farther configured to detect whether anapplication key corresponding to the third party payment applicationexists in the payment PA at a time to activate the third party paymentapplication for a biometric recognition based payment function,determine a first key generation algorithm, a first data encryptionalgorithm, a second key generation algorithm and a second dataencryption algorithm based on the call request when no application keycorresponding to the third party payment application exists in thepayment TA, generate the application key for the third party paymentapplication using the first key generation algorithm, encrypt theapplication key using the first data encryption algorithm and a devicekey of the apparatus, generate a user key corresponding to a useraccount using the second key generation algorithm, encrypt the user keyusing the second data encryption algorithm and the application key andreturn the encrypted application key and the encrypted user key to thethird pay payment application for the third party payment application toprovide the encrypted application key and the encrypted user key to aserver.

In another example, the processor is configured to detect whether anapplication key corresponding to the third party payment applicationexists in the payment PA at a time to activate the third party paymentapplication for a biometric recognition based payment function,determine a key generation algorithm and a data encryption algorithmbased on the call request when the application key corresponding to thethird party payment application exists in the payment TA, generate auser key corresponding to a user account using the key generationalgorithm, encrypt the user key using the data encryption algorithm andthe application key and return the encrypted user key to the third partypayment application for the third party payment application to providethe encrypted user key to a server.

According to an aspect of the disclosure, the processor is configured todetect whether the result of biometric recognition indicates a successof biometric verification when the third party payment applicationperforms a payment operation for a user account, encrypt the contentusing the encryption parameter and a user key corresponding to the useraccount to obtain an encryption result and return the encryption resultto the third party payment application for the third party paymentapplication to provide the encryption result to a server.

In an example, the processor is configured to perform the biometricrecognition application to receive the call request from the third partypayment application, collect, recognize and verify biometrics to obtainthe, result of biometric recognition, and send the result of biometricrecognition to the third party payment application; and when the resultof biometric recognition indicates that verification of biometrics issuccessful, the third party payment application sends the call requestto the payment TA.

Aspects of the disclosure provide a non-transitory computer-readablestorage medium having stored therein instructions that, when executed bya processor of a mobile terminal device, causes the mobile terminaldevice to perform operations for biometric recognition based payment.The operations include receiving, by a payment Trusted Application (TA)that operates in a Trusted Execution Environment (TEE) on the mobileterminal device to serve a plurality of third party payment applicationsinstalled on the mobile terminal device, a call request from one of thethird party payment applications, determining content to be encryptedand an encryption parameter for performing encryption based on the callrequest, acquiring a result of biometric recognition from a biometricrecognition application, encrypting the content according to theencryption parameter and the result of biometric recognition andreturning the encrypted content to the third party payment applicationthat generates the call request, for the third party payment applicationto perform a payment-related operation based on the encrypted content.

It should be understood that both the foregoing general description andthe following detailed description are exemplary and explanatory onlyand are not restrictive of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute apart of this specification, illustrate embodiments consistent with theinvention and, together with the description, serve to explain theprinciples of the invention.

FIG. 1 is a block view showing a biological recognition technology-basedmobile payment device according to an exemplary embodiment;

FIG. 2 is a block view showing a biological recognition technology-basedmobile payment device according to another exemplary embodiment;

FIG. 3 is a flow chart showing a biological recognition technology-basedmobile payment method according to an exemplary embodiment;

FIG. 4 is a flow chart showing biological recognition technology-basedmobile payment method according to another exemplary embodiment;

FIG. 5 is a flow chart showing a biological recognition technology-basedmobile payment method according to yet another exemplary embodiment;

FIG. 6 is a flow chart showing a biological recognition technology-basedmobile payment method to yet another exemplary embodiment;

FIG. 7 is a block view showing a mobile payment device according to anexemplary embodiment.

DETAILED DESCRIPTION

Reference will now be made in detail to exemplary embodiments, examplesof which are illustrated in the accompanying drawings. The followingdescription refers to the accompanying drawings in which the samenumbers in different drawings represent the same or similar elementsunless otherwise presented. The embodiments set forth the followingdescription of exemplary embodiments do not represent all embodimentsconsistent with the invention. Instead, they are merely examples ofapparatuses and methods consistent with aspects related to the inventionas recited in the appended claims.

The mobile payment device involved in this disclosure may be a cellphone, a tablet computer, a mobile Personal Computer (PC), a PersonalDigital Assistant (PDA) or other mobile terminal devices. The mobilepayment deice is provided with a sensor for collecting biologicalinformation, and has a biological recognition (biometric recognition)technology-based payment function. The biological information includesbut is not limited to one or more of fingerprints, irises, retinas,genes, voices, human faces, palm geometry, veins, gaits, handwriting.For example, the mobile payment device is provided with a fingerprintsensor and has a fingerprint payment function.

According to an exemplary embodiment of the present disclosure, there isprovided a biological recognition technology-based mobile paymentdevice, comprising: a biological information recognition application anda general payment Trusted Application (TA) operating in a TrustedExecution Environment (TEE), wherein;

the general payment TA is configured to: be called by multiple thirdparty payment applications; receive a call request from the third partypayment application; based on the call request, determine tar_(g)etcontent to be encrypted and an encryption parameter for performingencryption; acquire a biological information recognition result from thebiological information recognition application; encrypt the targetcontent according to the encryption parameter and the biologicalinformation recognition result; and return an encryption result to thethird party payment application, so that the third party paymentapplication performs a payment-related operation based on the encryptionresult.

By installing and operating a general payment TA that can be called bymultiple third party payment applications in a TEE, the followingproblems in the related arts are solved: when a mobile terminal needs tosupport multiple third party payment applications, as multiplecorresponding TAs need to be installed in the TEE, the cost isincreased, and the TEE has a high security risk; and the followingeffects are achieved: as multiple third party payment applications shareone general payment TA, it is unnecessary to install multiple TAs in theTEE, so that the, signature fee is reduced and thus the cost is reduced;a mobile terminal is effectively prevented from being installed with aTA of a malicious third party payment application, so that the securityrisks of the TEE are reduced.

Optionally, the general payment TA is also configured to: when the thirdparty payment application activates a biological recognitiontechnology-based payment function, if the general payment TA has notstored an application key corresponding to the third party paymentapplication, generate the application key corresponding to the thirdparty payment application using a first key generation algorithm, andencrypt the application key using a first data encryption algorithm anda device key;

the general payment TA is also configured to: generate a user keycorresponding to a target user account using a second key generationalgorithm, and encrypt the user key using a second data encryptionalgorithm and the application key,

wherein the general payment TA returns the encrypted application key anduser key to the third party payment application so as to provide thesame to a background server via the third party payment application,

the encryption parameter comprises the first key generation algorithm,the first data encryption algorithm, the second key generation algorithmand the second data encryption, algorithm, and is indicated by the callrequest when the third party payment application calls the generalpayment TA.

Optionally, the general payment TA is also configured to: when the thirdparty payment application activates a biological recognitiontechnology-based payment function, if the general payment TA has storedan application key corresponding to the third party payment application,generate a user key corresponding to a target user account using asecond key generation algorithm, and encrypt the user key using a seconddata encryption algorithm and the application key,

wherein the general payment TA returns the encrypted user key to thethird party payment application so as to provide the same to abackground server via the third party payment application,

the encryption parameter comprises the second key generation algorithmand the second data encryption algorithm, and is indicated by the callrequest when the third party payment application calls the generalpayment TA.

Through the above mode, during the activation stage of the biologicalrecognition technology-based payment function, the general payment TAgenerates a user key corresponding to a target user account, andprovides the same to a background server, so thin. the background servercan verify the validity of the user's identity using the user key in thefollowed payment stage, thereby ensuring the transaction security.

Optionally, the general payment TA is also configured to: when the thirdparty payment application performs a payment operation regarding atarget user account, if the biological information recognition resultindicates that verification of biological information as successful,encrypt the target content us mg the encryption parameter and a user keycorresponding to the target user account to obtain an encryption result,

wherein the general payment TA returns the encryption result to theparty payment application so as to provide the same to a backgroundserver via the third party payment application.

Through the above mode, during the payment stage of the target useraccount, the general payment TA encrypts the target content to beverified by the background server using the user key corresponding tothe target user account, and feeds the encryption result back to thebackground server, so that the background server can verify the validityof he user's identity based on the decryption result, thereby ensuringthe security.

Optionally, after the biological information recognition applicationreceives the call request from the third party payment application, thebiological information recognition result is acquired by collecting,recognizing and verifying the biological information, and is sent by thebiological information recognition application to the third partypayment application; and

the third party payment application is configured to, when thebiological information recognition result acquired from the biologicalinformation recognition application indicates that verification of theinformation is successful, send the call request to the general paymentTA.

Through the above mode, to third party payment application firstanalyses the biological information recognition result, and calls thegeneral payment TA to perform a payment-related operation whenverification of the biological information is successful, so thatwasteful calling is avoided, thereby ensuring the reasonableness andstandardization of the calling procedure.

Optionally, the general patent TA comprises an algorithm managementmodule, a key management module, a data encrypt module, a resultacquisition module and a key storage module, wherein:

the algorithm management module is configured to manage a biologicalrecognition technology-based algorithm used by the third party paymentapplication, wherein the algorithm comprises at least one key generationalgorithm and at least one data encryption algorithm,

the key management module is configured to generate a key required forperforming the payment-related operation by using the key generationalgorithm;

the data encryption module is configured to encrypt the target contentto be encrypted by using the data encryption algorithm;

the result acquisition module is configured to acquire the biologicalinformation recognition result from the biological informationrecognition application;

the key storage module is configured to store the key generated by thekey management module.

Through the above mode, the function realization of the general paymentTA is more general, so that the general payment TA can support multiplethird party payment applications frequently used by the user,

Optionally, the third party payment application is a Client Application(CA) operating in a Rich Execution Environment (REE).

FIG. 1 is a block view showing a biological recognition technology-basedmobile payment device according to an exemplary embodiment. As shown inFIG. 1, the mobile payment device comprises a REE10 and a TEE20.

A CA12 of a biological information recognition application operates inthe REE10.

A general payment TA24 and a TA22 of the biological informationrecognition application operate in the TEE20.

The general payment TA24 be called by CA14 of multiple third partypayment applications. In the embodiments disclosure, if the mobilepayment device needs to support multiple third party paymentapplications simultaneously, only the CA14 of the multiple third partypayment applications need to be installed and operated in a mobileterminal deice, the CA14 of the multiple third party paymentapplications sharing one general payment TA24.

After the CA12 of the biological information recognition application iscalled the CA14 of the third party payment application, the TA22 of thebiological information recognition application is called. The TA22 ofthe biological recognition application is used to collect, recognize andverify biological information. After the general payment TA24 is calledby the CA14 of the third party payment application the general paymentTA24 determines target content to be encrypted and an encryptionparameter for performing encryption based on the call request, acquiresbiological information recognition result from the TA22 of thebiological information recognition application; encrypts the targetcontent according to the encryption parameter and the biologicalinformation recognition result; and returns an encryption result to theCA14 of the third party payment application, so that the CA14 of thethird party payment application performs a payment-related operationbased on the encryption result.

To sum up, with the mobile payment device provided by this embodiment,by installing and operating a general payment TA that can be called bymultiple third party payment applications in a TEE, the followingproblems in the related arts are solved: when a mobile terminal needs tosupport multiple third party payment applications, as multiplecorresponding TAs need to be installed in the TEE, the cost isincreased, and the TEE has a high security risk; and the followingeffects are achieved; as multiple third party payment applications shareone general payment TA, it is unnecessary to install multiple TAs in theTEE, so that the signature fee is reduced and thus the coast is reduced;and a mobile terminal is effectively prevented from being installed witha TA of a malicious third party payment application, so that thesecurity risks of the TEE are reduced.

FIG. 2 is a block view showing a biological recognition technology-basedmobile payment device according to another exemplary embodiment. Asshown in FIG. 2, the mobile payment device comprises a REE10 and aTEE20.

A CA12 of a biological information recognition application operates inthe REE10.

A general payment TA24 and a TA22 of the biological informationrecognition application operate in the TEE20.

The general payment TA24 may be called by CA14 of multiple third partypayment applications.

After the CA12 of the biological information recognition application iscalled by the CA14 of the third party payment application, TA22 of thebiological information recognition application called. The TA22 of thebiological information recognition application is used to collect,recognize and verify biological information. After the general paymentTA24 is called by the CA14 of the third party payment application, thegeneral payment TA24 determines target content to be encrypted and anencryption parameter for performing encryption based on the callrequest, acquires a biological information recognition result from theTA2 of the biological information recognition application encrypts thetarget content according to the encryption parameter and the biologicalinformation recognition result; and returns an encryption result to theCA14 of the third party payment application, so that the CA14 of thethird party payment application performs a payment-related operationbased on the encryption result.

In this embodiment, shown in FIG. 2, the general payment comprises analgorithm management module 241, a key management module 242, a dataencryption module 243, a result acquisition module 244 and a key storagemodule 245.

The algorithm management module 241 manage a biological recognitiontechnology-based algorithm used by the third party payment application.The algorithm comprise at least one key generation algorithm and atleast one data encryption algorithm. The key generation algorithm refersto an algorithm for generating a key required for performing thepayment-related operation. In this embodiment, the key generationalgorithm is used to generate an application key corresponding to thethird party payment application and a user key corresponding to a useraccount for logging on the third party payment application. The dataencryption algorithm refers to an algorithm for encrypting the targetcontent, in, the payment procedure, the target content may includecontent determined through negotiation between the CA14 of the thirdparty payment application and the background server, such as an ordernumber. In the activation procedure (i.e in the procedure of activatinga biological recognition technology-based payment function), the targetcontent may include the generated application key or the user key.Considering that in this embodiment, the general payment TA24 is sharedby the CA14 of the multiple third party payment applications, anddifferent third party payment applications may have differentrequirements on the key generation algorithm and the data encryptionalgorithm, even when the same third party payment application generatesdifferent keys or encrypts different content, different key generationalgorithms or different data encryption algorithms may be used.Therefore, the algorithm management module 241 manages at least one keygeneration algorithm and at least one data encryption algorithm. Forexample, several common key generation algorithms and several commondata encryption algorithms are configured. in the algorithm managementmodule 241. In addition, the data encryption algorithm may be a digitalsignature algorithm.

Optionally, the above algorithm further includes at least one data hashalgorithm. The data hash algorithm refers to an algorithm used forextracting a hash value of the target content to be encrypted. When thedata encryption algorithm is used, the extracted hash value isencrypted. Based on the same reason, as the general payment TA24 isshared by the CA14 of the multiple third party payment applications, thealgorithm management module 241 manages at least one data hashalgorithm. For example, several common data hash algorithms areconfigured in the algorithm management module 241.

The key management module 242 is configured to generate a key requiredfor performing the payment-related operation by using the key generationalgorithm. The key generation algorithm used here is indicated by aparameter in a call request when the CA14 of the third party paymentapplication calls the general payment TA24.

The data encryption module 243 is configured to encrypt the targetcontent to be encrypted by using the data encryption algorithm. The dataencryption algorithm used here is indicated by a parameter in a callrequest when the CA14 of the third party payment application calls thegeneral payment TA24. Optionally, if the data encryption algorithm is adigital signature algorithm, the data encryption module 243 isconfigured to perform digital signature to the target content using thedigital signature algorithm.

The result acquisition module 244 is configured to acquire thebiological information recognition result from the TA22 of thebiological information recognition application. In the embodiments ofthis disclosure, the biological information recognition application isused to recognize one or more of the following biological information:fingerprints, irises, retinas, genes, voices, human faces, palmgeometry; veins, gaits, handwriting. With reference to FIG. 2, the TA22of the biological information recognition application comprises acollection module 221, an algorithm module 222, a recognition module 223and a storage module 224. The collection module 221 is configured toacquire the original data of the biological information collected by asensor. Take fingerprints as an example, when the fingerprint sensor isa camera, the collection module 221 is configured to acquire fingerprintimages collected by the camera. The algorithm module 222 is configuredto convert the original data of the biological information into digitaldata. By doing so, on one hand, storage space occupied by the biologicalinformation can be effectively reduced; on the other hand, since theoriginal data of the biological information that is directed stored hasa risk of being copied, after convening the original data of thebiological information into digital data, security of the biologicalinformation is improved. The recognition module 223 is configured tomatch and verify the currently collected biological information withpre-stored biological information to obtain a recognition result. Thestorage module 224 is configured to store the recognition result and thebiological information.

The key storage module 245 is configured to store the key generated bythe key management module 242. In this embodiment, the key storagemodule 245 is configured to store the application key and the user key

Optionally, the key management module 242 is also configured to processthe key using a security protection algorithm, and store the processedkey in the key storage module 245. The security protection algorithmrefers to an algorithm used for protecting the security of a key,including but not limited to a data encryption algorithm, a dataseparating and assembling algorithm and the like.

The followings describe the system provided by the present embodimentfrom an activation procedure (i.e., the procedure of activating abiological recognition technology-based payment function) and a paymentprocedure.

1. The activation procedure (take a target user account of the thirdparty payment application as an example)

A CA14 of a third party payment application is used to call a generalpayment TA24 to request the general payment TA24 to generate a user keycorresponding to a target user account.

If an application key corresponding to the third party paymentapplication has not been stored in the key storage module 245, thegeneral payment TA24 is used to generate the application keycorresponding to the third party payment application using a first keygeneration algorithm; the data encryption module 243 encrypts theapplication key using a first data encryption algorithm and a devicekey; the general payment TA24 returns the encrypted application key tothe CA14 of the third party payment application so as to provide thesame to a background server. The general payment TA24 is also used togenerate a user key corresponding to the target user account using asecond key generation algorithm; the data encryption module 243 encryptsthe user key using a second data encryption algorithm and theapplication key; the general payment TA24 returns the encrypted user keyto the CA14 of the third party payment application so as to provide thesame to the background server. The first key generation algorithm, thefirst data encryption algorithm, the second key generation algorithm andthe second data encryption algorithm used here are indicated by a callrequest when the CA14 of the third party payment application calls thegeneral payment TA24.

If an application key corresponding to the third party paymentapplication has been stored in the key storage module 245, the generalpayment TA24 is used to generate a user key corresponding to the targetuser account using a second key generation algorithm; the dataencryption module 243 encrypts the user key using a second dataencryption algorithm and the application key; the general payment TA24returns the encrypted user key to the CA14 of the third party paymentapplication so as to provide the same to the background server. Thesecond key generation algorithm and the second data encryption algorithmused here are indicated by a call request when the CA14 of the thirdparty payment application calls the general payment TA24.

Optionally, one or more of the device key, the application key and theuser key is/are (an) asymmetrical key(s).

2. The payment procedure (take a target user account of the third partypayment application as an example)

A CA14 of a third party payment application is used to call a CA12 of abiological information recognition application, and request the CA12 ofthe biological information recognition application to call TA22 of thebiological information recognition application to collect, recognize andverify biological information.

The CA14 of the third party payment application so used to negotiatewith a background server target content to be verified in the paymentprocedure. After the CA12 of the biological information recognitionapplication acquires biological information recognition result, thegeneral payment TA24 is called and request encrypt the target content.

The general payment TA24 is used to acquire the biological informationrecognition result from the TA22 of the biological informationrecognition application via the result acquisition module 244. After thebiological information recognition result indicates that verification ofthe biological information is successful, the data encryption module 243encrypts the target content using a designated data encryption algorithmand a user key corresponding to the target user account to obtain anencryption result.

The CA14 of the third party payment application is also used to acquirethe encryption result from the general payment TA24, and send the sameto a background server. The background server is used to decrypt theencryption result using the user key corresponding to the target useraccount to obtain a decryption result, and finish the payment procedureif the decryption content is consistent with the target content.

To sum up, with the mobile payment device provided by this embodiment,by installing and operating a general payment IA that can he called bymultiple third party payment applications in a TEE, the followingproblems in the related arts are solved; when a mobile terminal needs tosupport multiple third party payment applications, as multiplecorresponding TAs need to be installed in the TEE, the cost isincreased, and the TEE has a high security risk; and the followingeffects are achieved: as multiple third party payment applications shareone general payment TA, it is unnecessary to install multiple TAs in theTEE, so that the signature fee is reduced and thus the cost is reduced:a mobile terminal is effectively prevented from being installed with aTA of a malicious third party payment application, so that the securityrisks of the TEE are reduced,

In addition, considering that different third party payment applicationsmay have different requirements on the key generation algorithm and thedata encryption algorithm, by configuring several common algorithms inthe general payment TA in advance, the general payment TA can supportdifferent third party payment applications frequently used by the user.In addition, since the algorithms stored in the general payment TA canbe updated when the devices are updated afterwards, the general paymentTA is able to be compatible with more third party payment applications.

It should be noted that, when the general payment TA realizes itsfunctions in the above embodiments, examples are described based on thedivision of the respective functional modules; however, in actualapplication, the above functions may be realized by different functionalmodules according to the actual needs to realize all or part of theabove described functions,

FIG. 3 is a flow chart showing a biological recognition technology-basedmobile payment method according to an exemplary embodiment. The methodmay be applied to the general payment TA operating in the mobile paymentdevice provided by the embodiment Shown in FIG. 1 or 2. The method maycomprise;

Step 302: receiving a call request from the third party paymentapplication;

Step 304: based on the call request, determining target content to beencrypted and an encryption parameter for performing encryption;

Step 306: acquiring a biological information recognition result from abiological information recognition application;

Step 308: encrypting the target content according to the encryptionparameter and the biological information recognition result; and

Step 310: returning an encryption result to the third party paymentapplication, so that the third party payment application performs apayment-related operation based on the encryption result.

To sum up, with the mobile payment method provided by this embodiment,by installing and operating a general payment TA that can be called bymultiple third party payment applications in a TEE, the followingproblems in the related arts are solved: when a mobile terminal needs tosupport multiple third, party payment applications, as multiplecorresponding TAs need to be installed in the TEE, the cost isincreased, and the TEE has a high security risk; and the followingeffects are achieved: as multiple third party payment applications shareone general payment TA, it is unnecessary to install multiple TA in theTEE, so that the signature fee is reduced and thus the cost is reduced;a mobile terminal is effectively prevented from being installed with aTA of a malicious third party payment application, so that the securityrisks of the TEE are reduced,

Optionally, when the third party payment application activates abiological recognition technology-based payment function, the methodfurther comprises:

if the general payment TA has not stored an application keycorresponding to the third party payment application, generating theapplication key of the third party payment application using a first keygeneration algorithm, and encrypting the application key using a firstdata encryption algorithm and a device key;

generating a user key corresponding to a target user account using asecond key generation algorithm, and encrypting the user key using asecond data encryption algorithm and the application key;

returning the encrypted application key and user key to the third partypayment application so as to provide the same to a background server viathe third party payment application,

wherein the encryption parameter comprises the first key generationalgorithm, the first data encryption algorithm, the second keygeneration algorithm and the second data encryption algorithm, and isindicated by the call request when the third party payment applicationcalls the general payment TA.

Optionally, when the third party payment application activates abiological recognition technology-based payment function, the methodfurther comprises;

if the general ;payment TA has stored an application key correspondingto the third party payment application, generating a user keycorresponding to a target user account using a second key generationalgorithm, and encrypting the user key using a second data encryptionalgorithm and the application key,

returning the encrypted user key to the third party payment applicationso as to provide the same to a background server via the third partypayment application,

wherein the encryption parameter comprises the second key generationalgorithm and the second data encryption algorithm, and is indicated bythe call request when the third party payment application calls thegeneral payment TA.

Optionally, when the third party payment application performs a paymentoperation regarding a target user account, encrypting the target contentaccording, to the encryption parameter and the biological informationrecognition result comprises;

if the biological information recognition result indicates thatverification of biological information is successful, encrypting thecontent using encryption parameter and a user key corresponding to thetarget user account to obtain an encryption result, and returning theencryption result to the third party payment application so as toprovide the same to a background server via the third party paymentapplication.

Optionally, after the biological information recognition applicationreceives the call request from the third party payment application, thebiological information recognition result is acquired by collectingrecognizing and verifying the biological information, and is sent by thebiological information recognition application to the third partypayment application; and

when the biological information recognition result acquired from thebiological information recognition application indicates thatverification of the biological information is successful, the thirdparty payment application sends the call request to the general paymentTA.

Optionally, the third party payment application is a Client Application(CA) operating in a Rich Execution Environment REE.

FIG. 4 is a flow chart showing a biological recognition technology-basedmobile payment method according to another exemplary embodiment. Themethod may comprise:

Step 402: calling a CA of a biological information recognitionapplication by a CA of a third party payment application to request theCA of the biological information recognition application to call a TA ofthe biological information recognition application so as to collectrecognize and verify biological information;

Step 404: calling a general payment TA by the CA of the third partypayment application;

Step 406: receiving by the general payment TA a call request from thethird party payment application; based on the call request, determiningby the general payment TA target content to be encrypted and anencrypted and an encryption parameter for performing encryption:acquiring by the general payment TA a biological information recognitionresult from the TA of the biological information recognitionapplication; encrypting by the general payment TA the target contentaccording to the encryption parameter and the biological informrecognition result; and returning by the general payment TA anencryption result to the CA the third party payment application, so thatthe CA of the third party payment application performs a payment-relatedoperation based on the encryption result.

To sum up, with the mobile payment method provided by this embodiment,by installing and operating a general payment TA that can be called byCAs of multiple third party payment applications in a TEE, the followingproblems in the related arts are solved: when a mobile terminal needs,to support multiple third party payment applications, a multiplecorresponding TAs need to be installed in the TEE, the cost isincreased, and the TEE has a high security risk; and the effectsachieved: as the CAs of the multiple third party payment applicationsshare one general payment TA, it is unnecessary to install multiple TAsin the TEE, so that the signature fee is reduced and thus the cost isreduced; a mobile terminal is effectively prevented from being installedwith a TA of a malicious third party payment application, so that thesecurity risks of the TEE are reduced.

The followings will describe the two method embodiments shown in FIGS.5-6 from an activation procedure and a payment procedure.

In the embodiment shown in FIG. 5, an activation procedure of a targetuser account of a third party payment application is taken as anexample. As showing FIG. 5, the activation procedure may comprise:

Step 501: calling a general payment TA by a CA of a third party paymentapplication to request the general payment TA to generate an applicationkey corresponding to the third party payment application.

The call request contains a first request parameter indicating a mannerby which the general payment TA generates a key. According to theregulations of Java Cryptography Architecture (JCA), in a possibleembodiment, the first request parameter includes a provider parameter,an alias parameter and an algorithm parameter. The provider parameterindicates calling of the general payment TA. The alias parameterindicates a manner of generating an application key, which may be anidentification of the party payment application. In this case, themanner of generating a key can he determined based on the identificationof the party payment application. The algorithm parameter indicates analgorithm used for generating a key.

Step 502: detecting by the general payment TA if an application keycorresponding to the third party payment application has been stored ifnot, executing. Step 503; if yes, feeding information indicating thatthere is an application key back to the CA of the third party paymentapplication.

Step 503: generating by the general payment TA the application key usinga first key generation algorithm.

Step 504: encrypting by the general payment TA the application key usinga first data encryption algorithm and a device key to obtain anencrypted application key.

Optionally, if the device key is an asymmetrical key, the generalpayment TA encrypts the application key using the first data encryptionalgorithm and a private key of the device key to obtain the encryptedapplication key.

Optionally, if the first data encryption algorithm is a digitalsignature algorithm, the general payment TA signs the application keyusing the digital signature algorithm and a key according to the devicekey to obtain the signature result of the application key.

Step 505: feeding by the general payment TA the encrypted applicationkey back to the CA of the third party payment application.

Step 506: sending the encrypted application key by the CA of the thirdparty payment application to a background server.

Step 507: storing the application key by the background server.

After receiving the encrypted application key from of the third partypayment application, the background server using the device key,acquires and stores the decrypted application key.

Optional, if the device key is an asymmetrical key, the backgroundserver decrypts the application key using public key of the device key,acquires and stores the decrypted application key.

In addition, after the CA of the third party payment applicationreceives the application key fed back by the general payment TA, Step508 is executed.

Step 508 : calling; the general payment TA by the CA of the third partypayment application to request the general payment TA to generate a userkey corresponding to a target user account.

The call request contains a second request parameter indicating a mannerby which the general payment TA generates a user key. In a possibleimplementation, the second request parameter includes a providerparameter, an alias parameter and an algorithm parameter. The providerparameter indicates calling of the general payment TA. The aliasparameter indicates a manner of generating a use key, which for examplemay be an identification of the third party payment application and thetarget user account. The algorithm parameter indicates an algorithm usedfor generating the user key.

Step 509: generating by the general payment TA the user key using asecond key generation algorithm.

Step 510: encrypting by the general payment TA the user key using asecond data encryption algorithm and the application key to obtain anencrypted user key.

Optionally, if the application key is an asymmetrical key, the generalpayment TA encrypts the user key using the second data encryptionalgorithm and, a private key of the application key to obtain theencrypted user key.

Optionally, if the second data encryption algorithm is a digitalsignature algorithm, the general payment TA signs the user key using thedigital signature algorithm, and the application key to obtain asignature result of the user key.

Step 511: feeding by the general payment TA the encrypted user key hackto the CA of the third party payment application.

Step 512: sending the encrypted user key by the CA of the third partypayment application to a background server.

Step 513: storing the user key b the background server.

After receiving the encrypted user key from the CA of the third partypayment application, the background server decrypts the same using theapplication key, acquires and stores the user key.

Optionally, if the application key is an asymmetrical key, thebackground server decrypts the user key using a public key of theapplication key, acquires and stores the user key.

In the embodiment shown in FIG. 6, a payment procedure of a target useraccount of a third party payment application is taken as an example. Asshown in FIG. 6, the payment procedure may comprise:

Step 601: calling a CA of a biological information recognitionapplication by a CA of a third party payment application to request theCA of the biological information recognition application to call a TA ofthe biological information recognition application.

In the payment procedure, after requesting for and acquiring an orderfrom a background server, the CA of the third party payment applicationcalls the CA of the biological recognition application to request thesame to call the TA, of the biological recognition application so as toinitiate verification of biological information.

Step 602: calling the TA of the bio logical information recognitionapplication by the CA of the biological information recognitionapplication.

Step 603: collecting, recognizing and verifying biological informationby the TA of the biological information recognition application.

Stop 604: feeding a biological information recognition result by the TAof the biological information recognition CA of the biologicalinformation recognition application.

Step 605; feeding the biological information result by the CA of thebiological information recognition application to the CA of the thirdparty payment application.

Step 606: detecting by the CA of the third party payment application ifthe biological information recognition result indicates thatverification of the biological information is successful; if yes,executing Step 607; if not, ending the procedure.

Step 607: calling a general payment TA by the CA of the third paymentapplication, and requesting the general payment TA to encrypt targetcontent.

The target content is the content to be verified in the paymentprocedure and negotiated by the CA of the third party paymentapplication and a background server. The call request contains a requestparameter indicating a manner by h the general payment TA encrypts thetarget content. In a possible implementation, the request parameterincludes a provider parameter, an alias parameter and an algorithmparameter. The provider parameter indicates calling of the generalpayment TA. The alias parameter may be an identification of the thirdparty payment application and a target user account, and may be used asa key index indicating a user key used in the encryption The algorithmparameter indicates a data encryption algorithm used in the encryption.

Step 608: acquiring, the biological information recognition result Fromthe TA of the biological information recognition application by thegeneral payment TA.

Step 609: if the biological information recognition result indicatesthat verification of the biological information is successful,encrypting the target content by the general payment TA using adesignated data encryption algorithm and a user key corresponding to atarget user account for logging on the third party payment applicationto obtain an encryption result.

Optionally, if the user key is a asymmetrical key, the general paymentTA encrypts the target content using a predetermined data encryptionalgorithm and a private key the user key to reobtain an encryptionresult.

Optionally if the data encryption algorithm is a digital signaturealgorithm, the general payment TA signs the target content using thedigital signature algorithm and the user key to obtain a signatureresult.

Step 610: providing by the general payment TA the encryption result tothe CA of the third party payment application.

Step 611: sending the encryption result by the CA of the third partypayment application to a background server.

Step 612: decrypting the encryption result by the background serverusing the user key corresponding to the target user account to obtaindecryption content, and finishing the payment procedure the decryptioncontent is consistent with the target content.

Optionally, if the user key is an asymmetrical key, the backgroundserver decrypts the encryption result using a public key of the user keyto obtain the decryption content.

An exemplary embodiment of this disclosure also provides a biologicalrecognition technology-based mobile payment apparatus which can realizethe mobile payment method provided by this disclosure. The apparatuscomprise:

a biological information recognition application and a general paymentTrusted Application (TA) operating in a Trusted Execution Environment(TEE);

the apparatus further comprising: a processor; and

a memory storing an instruction executable by the processor,

wherein the processor is configured to:

receive a call request from a third party payment application;

based on the call request, determine target content to be encrypted andan encryption parameter for performing encryption;

acquire a biological information recognition result from the biologicalinformation recognition application,

encrypt the target content according to the encryption parameter and thebiological information recognition result; and

return an encryption result to the third party payment application, sothat the third party payment application performs a payment-relatedoperation based on the encryption result.

FIG. 7 is a block view showing a mobile payment device 700 according toan exemplary embodiment. For example, the mobile payment device 700 maybe a mobile phone, a tablet computer, a mobile PC, a personal digitalassistant (PDA) or the like. As shown in FIG. 7, the mobile paymentdevice 700 comprises: a System-on-a-Chi p (Sec) 702, a memory 704, apower component 706, an input/output (I/O) interface 708 and a sensorcomponent 710.

The Soc 702 is the main processing component of the mobile paymentdevice 700 and controls overall operations of the mobile payment device700. In this embodiment, the Soc 702 includes a REE and a TEE. A CA of abiological information recognition application operates in the REE. Ageneral payment TA and a TA of the biological information recognitionapplication operate in the TEE. The general payment TA may be called byCAs of multiple third party payment applications, After the CA of thebiological information recognition application is called by the CA ofthe third party payment application, the TA of the biologicalinformation recognition application is called. The TA of the biologicalinformation recognition application is used to collect, recognize andverify biological information. After the general payment IA is called bythe CA of the third party payment application, the general payment TAdetermines target content to he encrypted and an encryption parameterfor performing encryption based on the call request, acquires abiological information recognition result from the TA of the biologicalinformation recognition application; encrypts the target contentaccording to the encryption parameter and the biological informationrecognition result; and returns an encryption result to the CA of thethird party payment application, so that the CA of the third partypayment application performs a payment-related operation based on theencryption result. The Soc 702 may include one or more processors toexecute instructions to finish all or some of the steps of the abovemethods.

The memory 704 is configured to store various types of data to supportthe operation of the mobile payment device 700. Examples of such datainclude instructions for any applications or methods operated on themobile payment device 700, contact data, phonebook data, messages,pictures, video, etc. The memory 704 may be implemented using any typeof volatile or non-volatile memory devices, or a combination thereof,such as a static random access memory (SRAM), an electrically erasableprogrammable read-only memory (EEPROM), an erasable progrommableread-only memory (EPROM), a programmable read-only memory (PROM), amad-only memory (ROM), a magnetic memory, a flash memory, a magnetic oroptical disk.

The power component 706 provides power to various components of themobile payment device 700. The power component 706 may include a powermanagement system, one or more power sources, and any other componentsassociated with the generation, management, and distribution of power inthe mobile payment device 700.

The I/O interface 708 provides an interface between the Soc 702 andperipheral interface modules, such as a keyboard, a click wheel,buttons, and the like. The buttons may include, but not limited to, ahome button, a volume button, a starting button, and a locking button.

The sensor component 710 includes more sensors to provide statusassessments of various aspects of the mobile payment device 700. In thisembodiment, the sensor component 710 at least includes a sensor ofbiological information. The biological information includes but is notlimited to one or more of singe rims, rises, units, genes, voices, humanfaces, palm geometry, veins, gaits, handwriting. For instant, the sensorcomponent 710 may includes a fingerprint sensor for collectingfingerprint information.

In exemplary embodiments, the mobile payment device 700 may furtherinclude one or more of a multimedia component, an audio component and acommunication component.

In exemplary embodiments, the mobile payment device 700 may beimplemented with one or more application specific integrated circuits(ASIC), digital signal processors (DSPs), digital signal processingdevices (DSPDs),programmable logic devices (PLDs), field programmablegate arrays (FPGAs), controllers, micro-controllers, microprocessors, orother electronic components, for performing the above described methods.

In exemplary embodiments, there is also provided at non-transitorycomputer-readable storage medium including instructions, such asincluded in ti e memory 704. executable by the processor in t e mobilepayment device 700, for performing the above-described methods. Forexample, computer-readable storage medium may be a ROM, a RAM, a CD-ROM,a tape, a floppy disk, an critical data storage device, and the like.

A non-transitory computer-readable storage medium is provided. Wheninstructions stored in the storage medium are executed by the processorin the mobile payment device 700, the mobile payment device 700 canperform the above methods.

It is noted that the various modules, sub-modules, units and componentsin the present disclosure can be implemented using any suitabletechnology. In an example, a module can be implemented using such asintegrated circuit (IC). In an another example, a module can beimplemented as a processing circuit executing software instructions.

Other embodiments of the invention will be apparent to those skilled inthe art from consideration of the specification and practice of theinvention disclosed here. This application is intended to cover anyvariations, uses, or adaptations of the invention following the generalprinciples thereof and including departures from the present disclosureas come within known or customary practice in the art. It is intendedthat the specification and examples be considered as exemplary only,with a true scope and spirit of the invention being indicated by thefollowing claims.

It will be appreciated that the present invention is not limited to theexact construction that has been described above and illustrated in theaccompanying drawings, and that various modifications and changes can bemade without departing from the scope thereof. It is intended that thescope of the invention only be limited b the appended claims.

The invention claimed is:
 1. A method for performing biometrics basedpayment, comprising: receiving, by a payment Trusted Application (TA)that is executed by processing circuitry and that operates in a TrustedExecution Environment (TEE) on a device, a call request from one of aplurality of third party payment applications that are installed on thedevice and operate with the payment TA, wherein the payment TA isassociated and configured to operate only with payment-relatedoperations and with the plurality of third party payment applicationsinstalled on the device; managing, by the payment TA via the processingcircuitry, an algorithm that comprises at least one key generationalgorithm and at least one data encryption algorithm; generating, by thepayment TA via the processing circuitry, a key required for performingpayment-related operation by using the key generation algorithm;acquiring, by the payment TA via the processing circuitry, a result ofbiometric recognition from a biometric recognition application; storing,by the payment TA via the processing circuitry, the generated key;determining, by the payment TA via the processing circuitry, content tobe encrypted and an encryption parameter for performing encryption basedon the call request; encrypting, by the payment TA via the processingcircuitry, the content according to the encryption parameter and theresult of biometric recognition; returning, by the payment TA via theprocessing circuitry, the encrypted content to the third party paymentapplication that generates the call request, for the third party paymentapplication to perform a payment-related operation based on theencrypted content; detecting, by the payment TA via the processingcircuitry, whether an application key corresponding to the third partypayment application exists in the payment TA at a time to activate thethird party payment application for a biometric recognition basedpayment function; determining, by the payment TA via the processingcircuitry, a first key generation algorithm, a first data encryptionalgorithm, a second key generation algorithm and a second dataencryption algorithm based on the call request when no application keycorresponding to the third party payment application exists in thepayment TA; generating, by the payment TA via the processing circuitry,the application key for the third party payment application using thefirst key generation algorithm; encrypting, by the payment TA via theprocessing circuitry, the application key using the first dataencryption algorithm and a device key of the device; generating, by thepayment TA via the processing circuitry, a user key corresponding to auser account using the second key generation algorithm; encrypting, bythe payment TA via the processing circuitry, the user key using thesecond data encryption algorithm and the application key; returning, bythe payment TA via the processing circuitry, the encrypted applicationkey and the encrypted user key to the third party payment applicationfor the third party payment application to provide the encryptedapplication key and the encrypted user key to a sever; detecting, by thepayment TA via the processing circuitry, whether an application keycorresponding to the third party payment application exists in thepayment TA at a time to activate the third party payment application fora biometric recognition based payment function; determining, by thepayment TA via the processing circuitry, a key generation algorithm anda data encryption algorithm based on the call request when theapplication key corresponding to the third party payment applicationexists in the payment TA; generating, by the payment TA via theprocessing circuitry, a user key corresponding to a user account usingthe key generation algorithm; encrypting, by the payment TA via theprocessing circuitry, the user key using the data encryption algorithmand the application key; and returning, by the payment TA via theprocessing circuitry, the encrypted user key to the third party paymentapplication for the third party payment application to provide theencrypted user key to a server, wherein the biometric recognitionapplication receives the call request from the third party paymentapplication, collects, recognizes and verifies biometrics to obtain theresult of biometric recognition, and sends the result of biometricrecognition to the third party payment application; and when the resultof biometric recognition indicates that verification of biometrics issuccessful, the third party payment application sends the call requestto the payment TA.
 2. The method according to claim 1, whereinencrypting the content according to the encryption parameter and theresult of biometric recognition comprises: detecting, by the payment TAvia the processing circuitry, whether the result of biometricrecognition indicates a success of biometric verification when the thirdparty payment application performs a payment operation for a useraccount; encrypting, by the payment TA via the processing circuitry, thecontent using the encryption parameter and a user key corresponding tothe user account to obtain an encryption result; and returning, by thepayment TA via the processing circuitry, the encryption result to thethird party payment application for the third party payment applicationto provide the encryption result to a server.
 3. The method according toclaim 1, wherein the third party payment application is a ClientApplication (CA) operating in a Rich Execution Environment (REE) in thedevice.
 4. An apparatus, comprising: a processor; and a memory storinginstructions executable by the processor, wherein the processor isconfigured to: execute a payment Trusted Application (TA) that operatesin a Trusted Execution Environment (TEE) on a device; receive, by thepayment TA, a call request from one of a plurality of third partypayment applications that are installed on the device and operate withthe payment TA, wherein the payment TA is associated and configured tooperate only with payment-related operations and with the plurality ofthird party payment applications installed on the device; manage, by thepayment TA, an algorithm that comprises at least one key generationalgorithm and at least one data encryption algorithm; generate, by thepayment TA, a key required for performing payment-related operation byusing the key generation algorithm; acquire, by the payment TA, a resultof biometric recognition from the biometric recognition application;store, by the payment TA, the generated key in the memory, determine, bythe payment TA, content to be encrypted and an encryption parameter forperforming encryption based on the call request; encrypt, by the paymentTA, the content according to the encryption parameter and the result ofbiometric recognition; return, by the payment TA, the encrypted contentto the third party payment application that generates the call request,for the third party payment application to perform a payment-relatedoperation based on the encrypted content; detect, by the payment TA,whether an application key corresponding to the third party paymentapplication exists in the payment TA at a time to activate the thirdparty payment application for a biometric recognition based paymentfunction; determine, by the payment TA, a first key generationalgorithm, a first data encryption algorithm, a second key generationalgorithm and a second data encryption algorithm based on the callrequest when no application key corresponding to the third party paymentapplication exists in the payment TA; generate, by the payment TA, theapplication key for the third party payment application using the firstkey generation algorithm; encrypt, by the payment TA, the applicationkey using the first data encryption algorithm and a device key of theapparatus; generate, by the payment TA, a user key corresponding to auser account using the second key generation algorithm; encrypt, by thepayment TA, the user key using the second data encryption algorithm andthe application key; return, by the payment TA, the encryptedapplication key and the encrypted user key to the third party paymentapplication for the third party payment application to provide theencrypted application key and the encrypted user key to a server;detect, by the payment TA, whether an application key corresponding tothe third party payment application exists in the payment TA at a timeto activate the third party payment application for a biometricrecognition based payment function; determine, by the payment TA, a keygeneration algorithm and a data encryption algorithm based on the callrequest when the application key corresponding to the third partypayment application exists in the payment TA; generate, by the paymentTA, a user key corresponding to a user account using the key generationalgorithm; encrypt, by the payment TA, the user key using the dataencryption algorithm and the application key; and return, by the paymentTA, the encrypted user key to the third party payment application forthe third party payment application to provide the encrypted user key toa server, wherein the biometric recognition application receives thecall request from the third party payment application, collects,recognizes and verifies biometrics to obtain the result of biometricrecognition, and sends the result of biometric recognition to the thirdparty payment application; and when the result of biometric recognitionindicates that verification of biometrics is successful, the third partypayment application sends the call request to the payment TA.
 5. Theapparatus according to claim 4, wherein the processor is configured to:detect, by the payment TA, whether the result of biometric recognitionindicates a success of biometric verification when the third partypayment application performs a payment operation for a user account;encrypt, by the payment TA, the content using the encryption parameterand a user key corresponding to the user account to obtain an encryptionresult; and return, by the payment TA, the encryption result to thethird party payment application for the third party payment applicationto provide the encryption result to a server.
 6. The apparatus accordingto claim 4, wherein the third party payment application is a ClientApplication (CA) operating in a Rich Execution Environment (REE) of theapparatus.
 7. A non-transitory computer-readable storage medium havingstored therein instructions that, when executed by a processor of adevice, causes the device to perform operations for biometricrecognition based payment, the operations comprising: receiving, by apayment Trusted Application (TA) that operates in a Trusted ExecutionEnvironment (TEE) on the device, a call request from one of a pluralityof third party payment applications that are installed on the device andoperate with the payment TA, wherein the payment TA is associated andconfigured to operate only with payment-related operations and with theplurality of third party payment applications installed on the device;managing, by the payment TA, an algorithm that comprises at least onekey generation algorithm and at least one data encryption algorithm;generating, by the payment TA, a key required for performingpayment-related operation by using the key generation algorithm;acquiring, by the payment TA, a result of biometric recognition from abiometric recognition application; storing, by the payment TA, thegenerated key; determining, by the payment TA, content to be encryptedand an encryption parameter for performing encryption based on the callrequest; encrypting, by the payment TA, the content according to theencryption parameter and the result of biometric recognition; returning,by the payment TA, the encrypted content to the third party paymentapplication that generates the call request, for the third party paymentapplication to perform a payment-related operation based on theencrypted content; detecting, by the payment TA, whether an applicationkey corresponding to the third party payment application exists in thepayment TA at a time to activate the third party payment application fora biometric recognition based payment function; determining, by thepayment TA, a first key generation algorithm, a first data encryptionalgorithm, a second key generation algorithm and a second dataencryption algorithm based on the call request when no application keycorresponding to the third party payment application exists in thepayment TA; generating, by the payment TA, the application key for thethird party payment application using the first key generationalgorithm; encrypting, by the payment TA, the application key using thefirst data encryption algorithm and a device key of the mobile terminaldevice; generating, by the payment TA, a user key corresponding to auser account using the second key generation algorithm; encrypting, bythe payment TA, the user key using the second data encryption algorithmand the application key; returning, by the payment TA, the encryptedapplication key and the encrypted user key to the third party paymentapplication for the third party payment application to provide theencrypted application key and the encrypted user key to a sever;detecting, by the payment TA, whether an application key correspondingto the third party payment application exists in the payment TA at atime to activate the third party payment application for a biometricrecognition based payment function; determining, by the payment TA, akey generation algorithm and a data encryption algorithm based on thecall request when the application key corresponding to the third partypayment application exists in the payment TA; generating, by the paymentTA, a user key corresponding to a user account using the key generationalgorithm; encrypting, by the payment TA, the user key using the dataencryption algorithm and the application key; and returning, by thepayment TA, the encrypted user key to the third party paymentapplication for the third party payment application to provide theencrypted user key to a server; wherein the biometric recognitionapplication receives the call request from the third party paymentapplication, collects, recognizes and verifies biometrics to obtain theresult of biometric recognition, and sends the result of biometricrecognition to the third party payment application; and when the resultof biometric recognition indicates that verification of biometrics issuccessful, the third party payment application sends the call requestto the payment TA.
 8. The non-transitory computer-readable storagemedium according to claim 7, wherein the operation of encrypting thecontent according to the encryption parameter and the result ofbiometric recognition comprises: detecting, by the payment TA, whetherthe result of biometric recognition indicates a success of biometricsverification when the third party payment application performs a paymentoperation for a user account; encrypting, by the payment TA, the contentusing the encryption parameter and a user key corresponding to the useraccount to obtain an encryption result; and returning, by the paymentTA, the encryption result to the third party payment application for thethird party payment application to provide the encryption result to aserver.